COPPA – Gigaom
http://gigaom.com
The industry leader in emerging technology research
Wed, 21 Feb 2018 21:16:20 +0000

Google has a growth plan based on kids, report says
http://gigaom.com/2014/08/18/google-has-a-growth-plan-based-on-kids-report-says/
Mon, 18 Aug 2014 17:27:25 +0000

Children under the age of 13 are a massive and relatively untapped market for internet companies due to federal privacy laws, but now Google is ready to risk those treacherous legal waters in order to sign them up.

According to the Information (subscription required), Google is preparing features like a kid-safe version of YouTube and a parental dashboard in order to attract more kids onto its sprawling web platform, which also includes products like Gmail and Chrome.

Such moves by Google would echo similar initiatives by Facebook, which has reportedly been experimenting with “under-13 features” since at least 2012.

For the internet giants, signing up the under-13 crowd is a big opportunity, in part because millions of young people reportedly use their services under false credentials already. And given their growing role as authentication and identity platforms, it makes strategic sense for Google and Facebook to get their hooks into young users early — something that will be easier to do if the kids’ parents help them with the process.

The role of parents is not just a marketing strategy, of course, but a legal necessity as well. And the pressure on companies is even higher since the Federal Trade Commission expanded rules last year that require “verifiable parental consent” if a company wants to collect personal information from users under 13.

For the companies, getting proof of this consent is not easy. The FTC suggests various methods, including getting signed letters from the parents or “Having the parent call a toll-free telephone number staffed by trained personnel.”

Taking such steps would amount to a significant burden for tech companies that typically shy away from regulatory-intense activities, but realistically they have little choice since the federal law that protects the under-13s, known as COPPA, provides nasty penalties for companies that violate it — just ask struggling social network Path, which agreed to pay $800,000 last year to settle claims over 3,000 under-age accounts.

But for Google, which did not immediately reply to a request for comment, the legal hassle appears to be worth the chance to sign up millions of ever-younger users.

Kids’ privacy rules kick in July 1: what it means for the app industry
http://gigaom.com/2013/06/28/kids-privacy-rules-kick-in-july-1-what-it-means-for-the-app-industry/
Fri, 28 Jun 2013 17:45:20 +0000

Mobile app makers that target children may not be ready for new privacy rules, which go into effect on Monday and can impose penalties of up to $16,000 per violation. The rules update a federal law known as COPPA, and require kids’ app makers to get parents’ permission before collecting even the most basic data — a challenging situation for many app makers that supply apps for free and use data to attract advertisers.

According to a new Wall Street Journal investigation into dozens of popular kids’ apps, many of the apps are still collecting data from children directly or via third parties like ad networks or analytics companies such as Flurry.

To avoid violating the COPPA rules, many of the app makers may have to unplug these services by Monday. The other alternative is to comply with a strict permission regime that requires a parent to authorize a child joining a social network, or sharing data like first and last name, street name or photographs. The rules also require kid-targeted apps and websites to post privacy policies.

The updated rules coincide with concern over “bait apps” (which can induce kids into spending hundreds of dollars on items like digital fish — leading Apple to pay a legal settlement) and over app makers who encourage kids to share information like their email address or location. One of the most egregious violations occurred last year when social network Path scraped the address books of more than 3,000 children under 13, and collected their photos, precise location and written “thoughts.” The FTC responded by fining Path $800,000.

While the COPPA rules to protect children’s privacy have been around since 1998, the FTC issued an amended rule in December to increase their scope and specifically target app makers. A guide to the update explains “that younger children are particularly vulnerable to overreaching by marketers” and makes clear that COPPA now covers app “plug-ins” that suck data from the app as well as ad networks.

While the rules about collecting data from children are clear-cut, there are gray areas over which apps or websites are affected by them. What, for instance, is an app targeted to children? According to the FTC, the agency will consider things like visual content, the use of animated characters and the presence of child celebrities.

The rules may be popular with parents, but some in the tech community have complained they will hurt business and provide fodder for opportunistic privacy groups and their lawyers.

Apps and websites that are primarily geared at teens and adults will not be affected by the new rules, even if those under 13 do sign on to their sites. In the case of children who lie about their age to get on a site like Facebook, the company will be held liable only if they had actual knowledge that the user is not 13.

Correction: an earlier version of this story stated that the updated rule was passed by Congress; the FTC issued the new rule.

Path, the San Francisco-based startup that offers private social networking services, has reached a settlement with the Federal Trade Commission (pending judicial approval) on alleged violations of the Children’s Online Privacy Protections Act (COPPA). As part of the settlement, the company will pay a fine of $800,000 and has purged about 3,000 accounts from the network. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years, the FTC said in a statement.

The discovery of the underage members came as a byproduct of the FTC investigation into the privacy fiasco over the uploading of iPhone address books to Path’s servers without the permission of the individuals. That privacy breach became a major headache for the company, including stoking the ire of a very irate Apple. The company later changed its policies.

“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz. “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”

In addition to the $800,000 civil penalty, Path is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers’ personal information. The proposed settlement also requires Path to delete information collected from children under age 13 and bars future violations of COPPA. Path has already deleted the address book information that it collected during the time period its deceptive practices were in place.

Dave Morin, Path’s founder and chief executive officer, said that the company had identified the accounts in February 2012 and by May 2012 had implemented changes to its sign-up process that automatically caught the underage sign-ups. Path discovered the issue on its own and addressed it (that is, they removed and blocked minors under the age of 13 from the service) before the FTC approached the company, Morin said. Path is currently compliant with COPPA rules. Morin said that the typical Path user is about 25 years old. The company, which has about 6 million registered users, is targeting families for using Path to share personal moments, so this particular settlement offers up a new and unique set of challenges to the company.

Morin said that the big reason the underage children were able to get into the network is because the company didn’t have requisite checks and balances in the system. In a blog post that the company shared with us, Morin explained:

Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children’s Online Privacy Protections Act (COPPA). The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.

As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.

We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.

Throughout this experience and now, we stand by our number one commitment to serve our users first.

Path has raised a total of $41.2 million from investors such as Index Ventures, Kleiner Perkins Caufield & Byers and Redpoint Ventures. It was rumored that Google offered a couple hundred million dollars for the company.

Path’s iOS app (yes, that same Path that was caught stealing users’ entire address books last February) will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you’ve explicitly disabled Location Services for the Path application. (The app knows, of course, that it’s not getting location data via normal means from Location Services, yet behaves this way even in that case.)

FTC: Apple, Google don’t have to police app stores for kids’ privacy violations
http://gigaom.com/2012/12/19/ftc-apple-google-dont-have-to-police-app-stores-for-kids-privacy-violations/
Wed, 19 Dec 2012 19:25:42 +0000

Signaling its growing concern about children’s privacy, the Federal Trade Commission on Wednesday updated the Child Online Privacy Protection Act to cover web and mobile apps. The commission instituted new rules that state app makers have to get parental consent when it comes to sharing the personal information, like photos and location. But the commission also ruled that it is not holding app store owners responsible.

The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.

The Wall Street Journal reports that Apple and Google lobbied heavily to get that exemption written into the rules, and that the iOS App Store owner “made that point in five meetings with FTC officials in the fall.”

The FTC first proposed updates to the act this summer. Then last week, it released a report in which it looked at 400 apps across both Apple and Google’s mobile ecosystems. Among other things, it found that 59 percent of apps made for kids transmitted information to third parties, 58 percent contained advertising without any notice, while 80 percent didn’t even have privacy policies posted.

The new rules announced Wednesday are intended to strengthen kids’ privacy and give parents more control over the services their kids are using. Among other tweaks to the rules, the FTC also announced that “persistent identifiers” like Apple’s UDID or IFA, along with location and photos, videos or audio files that contain a kid’s picture or voice are now classified as personal information.

FTC Busts App Maker For Collecting Kids’ E-mail Addresses
http://gigaom.com/2011/08/15/419-ftc-busts-app-maker-for-collecting-kids-e-mail-addresses/
Tue, 16 Aug 2011 04:59:32 +0000

Updated with response from app developer. When it comes to privacy law, the exploding world of mobile apps is pretty much the wild west. There’s no general-purpose federal law regulating privacy, except when it comes to kids. Broken Thumbs Apps, a maker of apps for kids, will have to pay $50,000 for violating the Children’s Online Privacy Protection Act, according to the terms of a settlement made public today.

The slapdown of Broken Thumbs Apps, and its parent company W3 Innovations, is a reminder that even as the Federal Trade Commission is considering asking Congress for new online privacy regulation, the agency also has rekindled its interest in tougher enforcement of the privacy laws it already is in charge of enforcing, especially ones that affect kids.

This is the second federal enforcement action this year over a COPPA violation. In May, Playdom agreed to pay $3 million to settle FTC charges it illegally collected information from children younger than 13.

The case against Broken Thumbs, though, is the first COPPA enforcement action involving mobile apps, and the agency’s statement made it clear that the same rules that apply on websites matter in the fast-growing app ecosystem. Parental consent is key “whether through a website or a mobile app,” said FTC Chairman Jon Leibowitz in a statement today. “Companies must give parents the opportunity to make smart choices when it comes to their children’s sharing of information on smart phones.”

The apps that got Broken Thumbs Apps in trouble include Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion. They were listed in the “Games-Kids” section of Apple’s App Store, from which they were downloaded more than 50,000 times, says the FTC. The problem was that the apps encouraged kids to email comments to “Emily,” and the company “collected and maintained” thousands of childrens’ email addresses as part of that process. The complaint alleges the company ultimately collected more than 30,000 email addresses.

The FTC’s COPPA Rule forbids the collection of any personally identifiable information online from kids younger than 13 without getting parental consent beforehand. The FTC complaint [PDF] also said that the company set up a system that allowed kids to publicly post information on message boards, which collected additional personal information. The system invited (but did not require) children using the system to publish their thoughts on the Emily’s Girl World blog using their full name.

In addition to the $50,000 payment, the settlement will require Broken Thumbs Apps and W3 Innovations to delete all the personal information they’ve collected thus far, and to not violate COPPA any more.

Update. A spokesperson for Broken Thumbs offered an e-mail response to the FTC action on Tuesday, stating:

Broken Thumbs Apps is a small, family-run mobile application development company. We have created popular apps such as Movie Quizzle, Galaxy Getaway, and Emily’s Dress Up & Shop. We hold ourselves to the highest ethical standards, and our goal as a company is simply to build mobile apps that are fun and engaging for our users. To this end, we provided users with a means of interacting with one another and with our customer service department, which required the collection and retention of users’ email addresses. We did not ask for or collect information about the age of our users because there was no technical or functional need for this information. Our sole purpose in collecting email data was to improve the user experience with our apps; we never used any email address for marketing purposes or sold it to other firms.

Consequently, we were very surprised when we received notice from the FTC about possible COPPA violations. As soon as the FTC informed us of its specific concerns – and long before entry of yesterday’s order – we took corrective action. Any violations were inadvertent. But because our apps may appeal to young people, we have implemented a strict email policy that removes any possibility of collecting and retaining email addresses, even unintentionally, from users under the age of 13.

Playdom Settles FTC Charges It Mishandled Childrens’ Private Info
http://gigaom.com/2011/05/12/419-playdom-settles-ftc-charges-it-mishandled-childrens-private-info/
Fri, 13 May 2011 00:45:09 +0000

Even though no comprehensive online privacy law has yet been passed by Congress, the Federal Trade Commission has gotten busy in the last year enforcing privacy rules in a few areas in which it’s already empowered to act, like protecting children. Playdom will pay $3 million to settle FTC charges that it illegally collected information from children younger than 13, and then exposed that information online.

Playdom operated 20 “virtual worlds” websites where users could play online games, including 2 Moons, 9 Dragons, and My Diva Doll. According to the FTC, one of those sites, Pony Stars, was specifically aimed at children, and 821,000 users registered between 2006 and 2010. The other sites had more general audiences but also attracted 403,000 children who registered in the same time period.

The games that the FTC is concerned about were acquired by Playdom when it purchased Acclaim Games last year. Playdom was purchased by Disney a few months after the Acclaim acquisition.

The game sites did the same things that a lot of community-based websites do. The games featured “personal profile pages” and online community forums, and enabled (but did not require) users to “publicly post their full names, email addresses, instant messenger IDs, and location.” But the rules are different for kids, and under one of the few existing federal laws that deals with online privacy, the Children’s Online Privacy Protection Act or COPPA, Playdom should have provided proper notice and obtained parental consent before collecting or disclosing kids’ personal info.

The company has agreed to pay $3 million to settle the charges, and sign a consent decree that it won’t violate COPPA in the future. The complaint also personally named Playdom executive Howard Marks, who was CEO at Acclaim and continued to run the Acclaim games while at Playdom.

Disney (NYSE: DIS) didn’t immediately respond to a request for comment on the settlement.

» Copies of the Complaint, Exhibits, and Consent Decree are available on the FTC’s website